I have to get all the chromium and firefox info logs out of /var/log/system.log and into a nice quiet /var/log/{chromium,firefox}.log.

However I can neither recall or find how to set that in syslog.conf. How would I go about doing that?

EDIT: I have been looking at the asl.conf file for the asl logging daemon. This seems to have something to do with what I want, although, going from syslog to a binary log format is directly against sense.

EDIT: To be very clear one can use syslog to dynamically slice the logs. Apple is transitioning from syslog to the apple system log. So the grep approach only deals with the deprecated /var/log syslogd files.

Switching to syslog-ng and logging to sqlite would seem to be easier, but who knows? I'm sure the proprietary format is the way to go.

Note that

syslog(1)

is the command line tool for the ASL database.

syslog(3)

is the C api to the syslogd daemon. The ASL replacement for the above is

asl(3)

Now,

syslogd(8)

has 2 modules, one writing to the files defined in

syslog.conf(5)

and one writing to the apple system log, as defined in

asl.conf(5)

ASL seems to be the future. Syslogd is configured by both syslog.conf and asl.conf.

2 Answers
2

The situation is like that: Applications can use the syslog(3) API and the asl(3) API to log messages, other data logged can come from the kernel or from the network. All of these messages are handed over to the syslog Daemon: syslogd(8). The syslogd now outputs log messages both the BSD way (it writes stuff into various basic log files like /var/log) and into a unified log message store (/var/log/asl.log).

If you want certain log messages not to appear in your log files (eg. you read logs like system.log by selecting them in Console.app), you will need to configure syslog.conf(5) like chiggsy said. If you want messages not to be stored in the asl database, you will need to configure asl.conf(5).

If, for example, you do not longer want Bonjour's (mDNSResponders) Log messages to be stored in the ASL db, you will need to add the following line to /etc/asl.conf :

? [= Sender mDNSResponder] ignore

… and then "gently" restart the syslogd by:

sudo killall -HUP syslogd

Now, messages from mDNSResponder will no longer appear when you go into Console.app's "all messages", but still exist within your logfiles.

Lastly, if you call syslog(1) from the command line, it acts as a nice frontend for querying the ASL db - you could for example ask it to show all messages from the Time Machine Backup starter that were logged in the last two hours by running:

syslog -k Facility -k Sender com.apple.backupd-auto -k Time ge −2h

…which explains, why the ASL db is handy: you can search for log files simultaneously in "all log files".